1. Field of the Invention
The present invention relates to systems for detecting computer viruses and malicious software. More specifically, the present invention relates to a method and an apparatus for emulating computer viruses or other malicious software that operates by patching additional instructions into an emulator in order to aid in the process of detecting, decrypting or disinfecting code containing a computer virus or other malicious software.
2. Related Art
Malicious software, such as a computer virus, can enter a computer system in a number of ways. It can be introduced on a disk or a CD-ROM that is inserted into the computer system. It can also enter from a computer network, for example, within an email message.
If malicious software is executed by a computer system, it can cause a number of problems. The software can compromise security, by stealing passwords; by creating a “back door” into the computer system; or by otherwise accessing sensitive information. The software can also cause damage to the computer system, for example, by deleting files or by causing the computer system to fail.
Some types of malicious programs can be easily detected using simple detection techniques, such as scanning for a search string. However, this type of detection process can be easily subverted by converting a malicious algorithm into program code in different ways.
Another approach to detecting malicious software is to run a program on a real machine while attempting to intercept malicious actions. This technique, which is known as “behavior blocking,” has a number of disadvantages. In spite of the attempt to intercept malicious actions, the program may nevertheless cause harm to the computer system. Furthermore, the behavior blocking mechanism typically cannot view an entire log of actions in making a blocking determination. Hence, the behavior blocking mechanism may make sub-optimal blocking decisions, which means harmless programs may be blocked or harmful programs may be allowed to execute.
Yet another approach to detecting malicious software is to “emulate” suspect code within an insulated environment in a computer system so that the computer system is protected from malicious actions of the suspect code.
One disadvantage to emulation is that it is almost impossible to provide complete emulation for all program instructions, all operating system calls and operating system environments that may be accessed by a piece of code being emulated without replicating the entire operating system in the process. Hence, in practice, emulators are typically able to emulate only commonly occurring program instructions and system calls.
This problem can be overcome by updating and recompiling an emulator to implement new system calls and new program instructions as different pieces of malicious software are encountered that make use of these new system calls and new program instructions. However, doing so can lead to logistical problems in keeping emulation programs up to date.
Another problem with current emulators is that they cannot deal with conflicting emulator environments. For example, one virus may be triggered by a system call returning the year 1999, while another virus is triggered by the same system call returning the year 2000.
What is needed is a method and an apparatus for emulating suspect code that can be easily reconfigured to accommodate new program instructions, system calls and emulation environments.